On the heels of the 2020 RSA Conference, its organizers named some of the biggest cybersecurity risks for the years to come. Chief among them was the concern that while DevOps speeds up software development, it can also significantly increase security risks. What are those risks specifically, and how can organizations secure the software development lifecycle (SDLC) from the start and at scale?
Credential theft is already a well-known adversary technique described in the MITRE ATT&CK framework, but the risk expands much wider than simply compromised passwords. In large organizations today, development and operations teams use thousands of secrets (e.g., API keys, security certificates, etc.) to connect a complex array of application building blocks, from cloud infrastructure to databases, SaaS components, and more.
This interconnection means more people need access to secrets than ever before. As a result, secrets frequently get hardcoded into source code and ultimately end up in version control systems like git with surprising regularity.
In addition, unlike other vulnerabilities which expose themselves after deployment, security misconfigurations or cross-site scripting for example, exposed secrets are a risk throughout the entire software development lifecycle.
Under modern organizations’ structure and DevOps practices where teams are distributed, developers have many technologies to master. And with the preference for shortened release cycles, it’s easy to see how risk becomes magnified quickly.
“With DevOps, existing security vulnerabilities can be magnified and manifest themselves in new ways. The speed of software creation can mean new vulnerabilities are created unseen by developers. The solution is to build security monitoring into the DevOps process from the start. This requires cooperation and trust between the CISO and the DevOps team.”
Greg Day, RSA Conference Organizer, The Biggest Cybersecurity Risks in 2020
The result of all this complexity is secret sprawl — that is, unwanted distribution of these secrets across all the systems developers use. As teams become larger and more distributed, the risk of secret sprawl becomes greater. It gets harder to prevent secret sprawl.
While developer education is important and secrets management solutions are helpful, only automated secrets detection can really mitigate this growing risk at scale.
In theory, implementing automated secrets detection is simple:
- Scan existing code history (all commits from all branches in all projects) to start on a clean basis.
- Then continuously scan all incremental changes every time a new commit is pushed to any branch of any project.
But as with many automated processes the reality is much more complex. There are decisions to make about where to implement automated secrets detection in the SDLC as well as tradeoffs on the sensitivity of detection. Those tradeoffs need to be properly evaluated and rooted in business knowledge to determine the right path forward.
For a simple and relatable example, think about a fraud detection system at a bank — detection is probabilistic, so at some point, someone needs to draw a line in the sand: how high does the probability that a transaction is fraudulent have to be to take action? And when in the process should the customer be alerted?
“CIOs...should drive cybersecurity priorities and investments by using an outcome-driven approach that balances investment and risk with the needs to achieve desired business outcomes.”
Gartner, The Urgency to Treat Cybersecurity as a Business Decision, 12 February 2020
Automated secrets detection is similar. What is an acceptable number of false secret detection alerts, and how do those impact the business? On the other hand, what is the cost of a missed secret? And should hooks be placed client- or server-side to achieve the optimal results?
This just scratches the surface on automated secrets detection as a scalable solution, and it would be naïve to say that automated secrets detection comes without challenges or complexities in and of itself.
Get a complete walk-through on how to implement automated secrets detection, the challenges, and potential solutions, plus a look at how GitGuardian can help, in the complete white paper.